Archive for December, 2006

Monday, December 11th, 2006

Information Security as a Business Practice. This paper, written by John Enamait, addresses the role information security plays in an organization with discussions around structure and best practices. By John Enamait. [Infosec Writers Latest Security Papers]

Sunday, December 10th, 2006

Security Hole Found in Windows Media Player. Microsoft is investigating a new vulnerability in Windows Media Player that could be used to run malicious code on a user’s PC. [PC World: Latest Technology News]

Sunday, December 10th, 2006

Monthly Microsoft Patch Release Won’t Include Word Fix.

Microsoft Corp. said yesterday that its monthly patch release next Tuesday will include at least six software updates to plug security holes in its Windows operating system and other software.

Missing from the company’s notice, however, is any mention of a software update to fix a dangerous flaw in Microsoft Word that criminals are actively exploiting to break into Windows PCs.

Five of the updates on the list for next week address vulnerabilities in Windows, while a sixth patch would fix a problem with Microsoft Visual Studio 2005 that the company has acknowledged also is being exploited in the wild.

Microsoft said this month’s release will include a large number of non-security, high-priority updates, but it wasn’t more specific on any of those. Check back with Security Fix on Tuesday afternoon for the lowdown.

[Security Fix]

Sunday, December 10th, 2006

Time to Update Your Adobe Reader.

Adobe Systems is urging users who run the company’s Adobe Reader software on Microsoft Windows computers to update to a new version of the popular PDF document viewer, after the company was alerted to several flaws that criminals could exploit to break into computers running the software.

From the Adobe advisory: “Critical vulnerabilities have been identified in Adobe Reader and Acrobat 7.0 through 7.0.8 that could — although Adobe is not aware of any specific code exploits at this time — allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious file must be loaded by the end user for an attacker to exploit these vulnerabilities. This issue is remotely exploitable. It is recommended that users update to Adobe Reader 8 or apply the workaround provided below.”

I had Adobe Reader version 7 installed before applying the Adobe Reader 8 update, available for download from this link here. The “check for updates” feature in Reader 7 (select “Help” and then “Check for Updates”) said I had the latest version of Reader — when, of course, I did not. So I downloaded the standalone installer, which cheerily replaced the previous version and installed the new one without issue (although it wasn’t speedy, and this was on my super-fast machine).

Adobe says that users who for one reason or another can’t upgrade to Reader 8 should replace a specific file in the program’s directory. Instructions for how to do that are in the Adobe advisory’s “Solution” section.

Most people reading this blog probably have some version of Adobe Reader on their machines that isn’t version 8. Take a moment to check which version you are running (Click “Help,” then “About Adobe Reader” if you’re not sure) and update.

[Security Fix]
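The post above makes two points a practitioner will want to act on: the affected range in Adobe’s advisory is 7.0 through 7.0.8, and Reader’s own “Check for Updates” cannot be trusted to report it, so the installed version has to be checked directly. The script below is an added example, not code from Security Fix or from Adobe: it takes a software-inventory listing (the hostnames and version strings here are constructed sample data, not real machines) and flags every Reader or Acrobat install inside the advisory’s range. Versions are compared numerically, because a plain string comparison would rank a hypothetical “7.0.10” below “7.0.8”.

```python
"""Flag Adobe Reader / Acrobat installs inside the range Adobe's advisory
names as vulnerable (7.0 through 7.0.8, inclusive).

Added example, not code from Security Fix or Adobe. SAMPLE_INVENTORY is
constructed data (hypothetical hostnames and version strings) standing in
for a software-inventory export.
"""
import re

# Range stated in the advisory quoted above: 7.0 through 7.0.8, inclusive.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (7, 0, 8)
# Product names as they appear in the advisory; assumed to match the
# inventory's product column.
AFFECTED_PRODUCTS = ("Adobe Reader", "Adobe Acrobat")


def parse_version(text):
    """Turn '7.0.8' into (7, 0, 8), padding to three fields so that
    '7.0' becomes (7, 0, 0). Tuples of ints compare correctly, whereas
    comparing the raw strings would put '7.0.10' below '7.0.8'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def is_affected(product, version):
    """True if this install falls inside the advisory's affected range.
    Products outside Reader/Acrobat, and versions outside 7.0..7.0.8,
    are not flagged; older, unsupported branches are out of the
    advisory's scope, not cleared by it."""
    if not product.startswith(AFFECTED_PRODUCTS):
        return False
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed inventory: (host, product, installed version)
SAMPLE_INVENTORY = [
    ("ws-0101", "Adobe Reader", "7.0.8"),
    ("ws-0102", "Adobe Reader", "7.0"),
    ("ws-0103", "Adobe Reader", "8.0.0"),
    ("ws-0104", "Adobe Acrobat", "7.0.5"),
    ("ws-0105", "Adobe Reader", "6.0.1"),
    ("ws-0106", "Adobe Reader", "7.0.10"),  # hypothetical later 7.0.x
    ("ws-0107", "Foxit Reader", "7.0.5"),   # same numbers, not Adobe
]


def hosts_needing_update(inventory=SAMPLE_INVENTORY):
    """Sorted hostnames whose Reader/Acrobat install needs the update."""
    return sorted(host for host, product, version in inventory
                  if is_affected(product, version))


if __name__ == "__main__":
    for host in hosts_needing_update():
        print("update needed:", host)
```

Feed it the output of whatever inventory tool you already have (the Windows Uninstall registry hive or an agent export); the point is to decide from the version string actually installed, since the post shows the in-product updater reporting “latest version” on a vulnerable 7.x build.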

Sunday, December 10th, 2006

Speakers at ABA National Security Law Conference Confront NSA Surveillance Program and Leaks of Classified Information to the Press.

Speakers at the 16th annual review of National Security Law, held November 30-December 1, 2006, in Washington, D.C., addressed topics ranging from accountability for actions by private security contractors on the battlefield to civil litigation against terrorists and their bankers. Approximately 440 lawyers attended the conference, which was sponsored by the ABA Committee on Law and National Security, by the Center for National Security Law at the University of Virginia School of Law, and by the Center on Law, Ethics, and National Security at Duke University School of Law. Conference materials, which include several insightful papers, are available online.

In a speech at the conference, Representative Jane Harmon, the out-going ranking member of the House Intelligence Committee, described Congressional efforts to get executive branch officials to brief the members of the House and Senate Intelligence Committee about the NSA’s domestic surveillance program. A video and audio copy of her remarks is available online. She said that only after the Senate Intelligence Committee threatened to delay confirmation hearings regarding General Michael Hayden’s nomination to serve as CIA Director did executive officials agree to brief the Intelligence Committees about the NSA program. Ibid. at 15:30

Having received the classified briefing about the NSA program earlier this year, Representative Harmon said “As one of the few people outside the White House and NSA briefed into this program, I assure you that the program can be conducted pursuant to the Foreign Intelligence Surveillance Act.” Id. at 15:51. Given that Representative Harmon has heard classified details about the NSA program that the Bush Administration has refused to disclose publicly, including in the dozens of pending lawsuits challenging the NSA program, her assertion that the program could be conducted within FISA constraints is important. It directly contradicts the Administration’s claims that the NSA cannot run the program in a manner that complies with FISA.

[Privacy and Security Law Blog]

Sunday, December 10th, 2006

Pirates Hack Vista’s Registration Features. “MelindaGates” hack allows users to activate Vista without alerting Microsoft. [PC World: Latest Technology News]

Sunday, December 10th, 2006

HP Settlement Pays for IP Enforcement–What’s the Connection?

The California Attorney General just announced a $14.5 million settlement with Hewlett-Packard for its use of pretexting, a type of fraud, to spy on its board members and journalists who were reporting on internal strife at the company. Nothing so surprising there; the investigation has been going on for a while, and there was no question as to wrongdoing on the part of HP leadership. What’s interesting, though, is where that money is going. According to the settlement agreement and the AG’s own press release, $13.5 million is going to create a new “Privacy and Piracy Fund,” which will finance “law enforcement activities related to privacy and intellectual property rights.”

Now, I’d be the first to note that there are intrinsic links between privacy and copyright law and policy, but more often than not, this link comes about because overzealous, self-appointed copyright cops are all too willing to invade users’ privacy: installing spyware on computers; lobbying for personal information to be web-accessible before registering a domain; and defeating laws that would specifically target actions like HP’s pretexting.

[Public Knowledge - Policy Blog]

Friday, December 8th, 2006

The number of journalists jailed worldwide for their work rose for the second year with Internet bloggers and online reporters now one third of those incarcerated, a U.S.-based media watchdog said on Thursday.

A Committee to Protect Journalists census found that a record 134 journalists were in jail on December 1 — an increase of nine from the 2005 tally — in 24 countries with China, Cuba, Eritrea and Ethiopia the top four nations to imprison media.

While print reporters, editors and photographers again made up the largest number of jailed journalists — with 67 cases — there were 49 imprisoned Internet journalists, making them the second biggest category, the New York-based committee said.

“We’re at a crucial juncture in the fight for press freedom because authoritarian states have made the Internet a major front in their effort to control information,” Committee Executive Director Joel Simon said in a statement.

“China is challenging the notion that the Internet is impossible to control or censor, and if it succeeds there will be far-ranging implications, not only for the medium but for press freedom all over the world.”

Friday, December 8th, 2006

Online Media Representatives Face Jail. OSDNBoss writes “According to the US Watchdog Committee to Protect Journalists a total of 134 journalists were in jail on December 1, 49 of which were Internet journalists. China leads the way with the highest number in jail. I’m sure the censors have already blocked Slashdot and other news and opinion sites in the countries mentioned. It begs the question, however, as the blogosphere grows are online journalists and editors more or less protected than their print and TV counterparts?” From the article: “China is challenging the notion that the Internet is impossible to control or censor, and if it succeeds there will be far-ranging implications, not only for the medium but for press freedom all over the world.” [Slashdot: Your Rights Online]

Friday, December 8th, 2006

Information Security: Whose Responsibility is It? This paper, contributed by Guillermo Ortiz-Caceres, discusses the responsibility consumers have and how security can be achieved through education of best practices. By Guillermo Ortiz-Caceres. [Infosec Writers Latest Security Papers]